Workload Partitioning (WPAR) in AIX 7.1

WPAR systems administration and configuration

Introduction

WPARs are a bold new innovation, implemented within AIX 6.1, that enable you to virtualize your operating system without creating full LPARs on your IBM System p partitioned server. WPARs provide similar levels of isolation, but without the overhead of the full system image. An LPAR requires its own operating system image and a certain number of physical resources. While you can virtualize many of these resources, there are still some physical resources that must be allocated to the system. Furthermore, you need to install patches and technology upgrades to each LPAR. Each LPAR requires its own archiving strategy and disaster recovery strategy. It also takes some time to create an LPAR; you also need to do this outside of AIX, for example through a Hardware Management Console (HMC) or the Integrated Virtualization Manager (IVM).

WPARs are much simpler to manage and can be created from the AIX command line or through SMIT, whereas LPARs cannot. By far the biggest disadvantage of LPARs is the increased management overhead and the potential to overcommit on CPU and RAM resources. In other words, while partitioning helps you consolidate and virtualize hardware within a single box, operating system virtualization through WPAR technology goes one step further and allows for an even more granular approach of resource management. It does this by sharing OS images and is clearly the most efficient use of CPU, RAM, and I/O resources.

Rather than a replacement for LPARs, WPARs are a complement to them and allow you to further virtualize application workloads through operating system virtualization. WPARs allow for new applications to be deployed much more quickly, which is an important side-benefit. In AIX 7.1, it is also possible to create a WPAR either supporting the AIX 7.1 or AIX 5.2 environments, thus making it even easier to consolidate older servers within your new AIX 7.1 environment. On the other side of the coin, it’s important to understand the limitations of WPARs. For example, each LPAR is a single point of failure for all WPARs that are created within the LPAR. In the event of an LPAR problem (or a scheduled system outage, for that matter), all underlying WPARs will also be affected.

WPARS: How and when to use them

In this section, we’ll further define the different types of workload partitions and discuss scenarios where WPARs should be used.

As discussed earlier, WPARs are virtualized operating system environments that are created within a single AIX image. Within AIX 7.1 you can also create an AIX 5.2 specific WPAR for running older application environments, while taking advantage of the lighter resource overheads offered by WPAR over LPAR. While they may be self-contained in the sense that each WPAR has its own private execution environment with its own filesystems and network addresses, they still run inside the global environment. The global environment—the actual LPAR—owns all the physical resources of the logical partition. It is important to also note that the global environment can see all the processes running inside the specific WPARs.

There are two types of WPARs: system workload partitions and application workload partitions. The system WPAR is much closer to a complete version of AIX. The system WPAR has its own dedicated, completely writable filesystems along with its own inetd and cron. Application WPARs are real lightweight versions of virtualized OS environments. They are extremely limited and can only run application processes, not system daemons such as inetd or cron. One cannot even define remote access to this environment. These are only temporarily objects; they actually disintegrate when the final process of the application partition ends, and as such, are more geared to execute processes than entire applications. Overall, WPARs have no real dependency on hardware and can even be used on POWER4 systems that do not support IBM PowerVM (formerly known as APV). For AIX administrators, the huge advantage of WPARs is the flexibility of creating new environments without having to create and manage new AIX partitions. Let’s look at some scenarios that call for the use of WPARs.

Within AIX 7.1, you also have the ability to run AIX 5.2 partitions. These are identical in structure to the AIX 7.1 WPAR, but the application is executed within an environment using the AIX 5.2 system libraries and commands. AIX 5.2 WPARs are always system and not application WPARs. Using the AIX 5.2 WPAR allows you to run AIX 5.2 applications on the newer hardware. The supported AIX 5.2 environment supports technology level 10, and service pack 2 of AIX 5.2.

Application/workload isolation

WPARs are tailor-made for working with test and/or QA and development environments or for running isolated applications within a specifically controlled environment. They also work well with AIX 5.2 partitions and applications that cannot be executed within a native AIX 7.1 level.

Starting with AIX 6.1.6 (TL6) and AIX 7.1 a number of enhancements have been added that can improve the performance of your WPAR, including improvements to the control and allocation of CPU, RAM, and networking support. Most larger organizations have at least three environments for their applications. These include development, testing, and production. Some environments have as many as five, including demo/training and stress/integration environments. Let’s use an example of a common three-tier application environment: web, application server, and database server. In the land of the LPARs, in an environment where you have five isolated environments, you would need to create fifteen LPARs. This is where the WPAR has the most value. In this environment, you would need to create just five LPARs. How is that?

In Table 1 below, we have five different environments, consisting of a web server, an application server, and a database server. If we wanted to isolate our environments, the only way to do this would be through logical partitioning. That would involve architecting fifteen logical partitions. In today’s world of 99.9 percent availability, it is extremely common to give each application environment their own home. Doing so also ensures that you can most closely simulate your environment. With WPARs, we can now do that, without having separate AIX images.

Table 1. Web portal — LPARs only

Development (3 lpars)

Demo/Training (3 lpars)

Test (3 lpars)

Pre-Prod (3 lpars)

Production (3 lpars)

1.Dweb01

4.Trweb01

7.Tstweb01

10.Ppweb-01

13.Pweb01

2.Dapp01

5.Trapp01

8.Tstweb01

11.Ppapp01

14.Papp01

3.Dora01

6.Traora01

9.Tstora01

12.Ppora01

15.Pora01

Table 2 below illustrates how that is done. Each environment would have its own LPAR, with three WPARs created within each LPAR. Now let’s imagine if we had four web servers, two app servers, and two db servers supporting this environment. It can be a nightmare maintaining all these environments, ensuring that each is kept up to date with the latest OS revisions, and that backups and administration for each are in place. WPARs dramatically simplify the overall work-effort involved in administrating this environment, while at the same time minimizing the expense of having to assign physical resources to logical partitions.

Table 2. Web portal — WPARs inside of LPARs

Development 1 LPAR, 3 WPARs

Demo/Training 1 LPAR, 3 WPARs

Test 1 LPAR, 3 WPARs

Pre-Prod 1 LPAR, 3 WPARs

Production 1 LPAR, 3 WPARs

Dwparweb01

2.Trwparweb01

3.Tstwparweb01

4.Ppweb-01

5.Pweb01

1. Dwaparapp01

2.Trwpapp01

3.Tstwparapp01

4.Ppapp01

5.Papp01

1. Dwparora01

2.Trwparora01

3.Tstwparora01

4.Ppwparora01

5.Pora01

Playing nicely in the sandbox

WPARs also support the creation of sandbox environments, where applications can be tried and tested without danger of affecting the host or production environment, and this is an ideal use of WPAR. These environments would be used only by the systems administrators. It is here that administrators have the opportunity to install new software, test out new patches, install new technology levels and generally be free to break the system without any effect to the business. Unfortunately, it is always the sandbox that is the first environment that must be given up when a new application needs to be deployed. With WPARs, you can quickly create an isolated environment in which to play. With WPARs in place of LPARs, the process of creating sandboxes is much more efficient and there is no need to assign dedicated devices to them.

Quickly testing an application

The application WPAR can be created in just a few seconds. What better way is there to troubleshoot quickly an application or wayward process? As these are temporary resources, they are destroyed as soon as they end, simplifying the manageability of these partitions.

If you need to migrate and consolidate your old AIX 5.2 applications to run on the newer POWER environments supporting AIX 7.1 then you can use an AIX 5.2 Workload Partition. This provides all of the same functionality as a full installation of AIX 5.2, but with the isolation and control of resources as a standard WPAR, but with the entire environment of the versioned operating system environment.

There are some limitations with a version WPAR. In particular, as we’ve mentioned, you cannot share filesystems between multiple WPAR versioned environments. This means that if you need to share file-based resources between multiple applications they must be run within the same WPAR environment.

You should also be aware that the commands and system libraries within the versioned environment are those of the corresponding versioned WPAR with some exceptions. The file system, logical volume, and system performance commands within an AIX 5.2 WPAR are those of the host AIX 7.1 operating system. Care should be taken to ensure that any applications that make use of these commands are aware of the 7.1 commands and their environment. A list of the commands that are replaced by AIX 7.1 can be obtained using the following command: ODMDIR=/usr/lib/objrepos odmget overlay | awk '$1=="path" {print $3}'.

WPARS: When not to use them

In this section, we’ll discuss situations and scenarios where you may not want to use WPARs.

Security

As stated previously, WPAR processes can be seen by the global environment from the central LPAR. If you are running a highly secure type of system, this may be a problem for you from a security standpoint. Further, the root administrator of your LPAR will now have access to your workload partition, possibly compromising the security that the application may require.

Performance

Each WPAR within LPAR is now using the same system resources of the LPAR. You need to be careful when architecting your system and also when stress testing the system. For example, if you’re running a performance benchmark on your pre-production system after a new build has been deployed, and there are some developers working on the application server while you are testing your database, this will all be done within one LPAR sharing the same resources. Your teams will all need to understand that there will be competing resources now for the same product.

Availability

If you are in an environment where it is very difficult to bring a system down, it’s important to note that when performing maintenance on an LPAR that every WPAR defined will be affected. At the same time, if there is a system panic and AIX crashes, every WPAR has now been brought down. From this standpoint, LPARs without WPARs can provide increased availability across your environment, albeit at a cost that may be prohibitive.

Production

I’m extremely conservative when it comes to production. I like to run each tier in production within its own logical partition. I do this because I like the granularity and complete OS isolation that LPARs provide, without having multiple environments (web, application, and database) to worry about.

Physical devices and kernel extensions

Physical devices are not supported within a WPAR. While there is a way to export devices, this can be a big problem for applications that require non-exportable devices. In this case, they would be restricted to only running in the global environment. Also be aware that a WPAR has no access to the system kernel information, or the ability to install kernel extensions or have access to kernel extensions provided by the parent LPAR.

Creating, configuring and administering WPARs

In this section, we’ll create, configure and administer WPARs both system and application.

System WPARs

The mkwpar command creates the WPAR, installs the filesystems, software, and prepares the system (see Listing 1 below). It also synchronizes the root section of the installed software by installing and copying the various packages into the newly configured system.

Depending on the type of system you are using, creating a WPAR should take a couple of minutes. Note that a new WPAR is not started by default; you must start it manually.

To create a version WPAR, you must have an installation of AIX 5.2 to create a system image. This means that you can use an existing AIX 5.2 installation as the basis for your new WPAR. This image and the associated installation files are then merged with a WPAR system. The new WPAR system should also have a recognizable network name. The basic sequence is therefore:

Add the name of your new WPAR to your /etc/hosts, NIS, or DNS system so that the system can be located on the network.

Create a new mksysb image which will be used as the installation source for the new WPAR. You can create a suitable mksysb image from an AIX 5.2 system using: # mksysb -i /mksysb_images/install52, where install52 is the name of your image.

Copy or NFS mount the image to the LPAR were you will create your new WPAR.

Create a new WPAR using the system image as the basis for the new partition: # mkwpar -n NEWWPAR -C -B /mksysb_images/install52.

The remainder of the installation is similar to that of the creating a new WPAR, except that it will use the AIX 5.2 system image as the basis, installing the system packages for AIX 5.2 as an overlay on the WPAR.

To check the status of the installed and created WPARs, use the lswpar command (see Listing 2 below).

Your systems administrator can start and stop processes from the WPAR using the SRC or from the command line, just as they would from the global environment. As the global (LPAR) system administrator, you will note that your LPAR lists all of the WPAR filesystems individually, in addition to the host filesystems. If you are have multiple WPARs, then there will be groups of filesystems for each WPAR. WPAR has lots of filesystems. The WPAR environment is created under /wpars with a single directory for each WPAR; for example, the filesystems for WPAR dev02 are mounted under /wpars/dev02 (see Listing 7 below).

Creating filesystems

Let’s turn our attention back to the global environment. Let’s create a filesystem through SMIT. A WPAR does not have the ability to create a filesystem or volume group, instead you must do this from the global environment (LPAR).
You must make sure that the full path of the filesystem (including the WPAR path) is specified (see Figure 1).

Figure 1. The full path of the filesystem is specific in SMIT

Figure 2. The file system has been created successfully

After it’s successfully created, we’ll need to make one minor change to the filesystem: the mount group needs to be explicitly defined so that it matches the group of the new WPAR (see Figure 3). Note that this step is not necessary when using the command line to create the filesystem.

Figure 3. Explicitly defining the mount group

Now, let’s turn back to the WPAR where we’ll create the mountpoint and mount our newly created filesystem (see Listing 9).

Note, that you also cannot increase the size of a f/s from the WPAR, only from the global environment. You also cannot serve NFS filesystems from within the WPAR, but you can mount NFS shares within a WPAR.

Backups

Remember, there are no physical devices in a WPAR. When backing up the WPAR environment, we need to use the savewpar command, again from the global environment (see Listing 10 below).

Backing up a WPAR is generally much simpler and straightforward than a full backup, as a relatively limited number of files need to be stored. We can restore using the restwpar command.

Users and groups

You can maintain unique users and groups within the WPAR, either from the command line or through SMIT. The users configured within the WPAR are unique to the WPAR and are considered as completely separate to the host LPAR. You should understand that the root user for this environment does not have access to the global environment, only to the WPAR.

Within a WPAR using AIX 6.1 TL6 or AIX 7.1, you also have access to domain support when using the Role Based Access Control (RBAC).

Now, let’s turn our attention back to the global environment. We can clearly see in Listing 11 below that the user was not created in the global environment, only within that specific WPAR.

Listing 11. The user was not creating in the global environment

WPAR manager

It’s worth noting that there is a graphical tool called WPAR manager, which is Java® based and allows for the centralized management of WPARs.

While a thorough review of this utility is outside the scope of this article, it’s definitely worth looking at because using it will increase your ability to manage the overall environment. It will also help you harness innovations such as Workload Partition Manager and WPAR Mobility. Workload Partition Manager allows for resource optimization, allowing you to distribute workloads more efficiently throughout your managed system. WPAR mobility allows one to move running partitions from one frame to another, which increase availability of workloads during scheduled outages.

Application WPARs

An application WPAR is defined as a WPAR that allows an application and/or a process to run inside of it, similar to a wrapper. The WPAR is a full and isolated environment like a system WPAR, but it exists only for the life of the application that you want to execute. The application WPAR is only a temporary, not a permanent object, and it will end when the application and/or process ends. To create one, we use the wparexec command, as shown in Listing 12.

Of course, it is designed for running more complete applications than a simple directory listing, but you can see how quickly and easily a temporary WPAR can be used.

Summary

This article introduced WPARs and discussed the context in which to use them. We looked at various scenarios in which WPARs should be used. We also discussed the installation, configuration, and administration of WPARs, including AIX 5.2 WPARs, and how they relate to the global (LPAR) environment. We added users, created filesystems and backed up our WPARs. We also introduced utilities such as WPAR manager which could be used to help manage our WPAR environment. We looked at the different types of WPARs that are available and the limitations of application WPARs compared to system WPARs. We also looked at scenarios in which WPARs may not be considered. The bottom line is that WPARs are an important innovation of AIX 6.1 and AIX 7.1, and used judiciously, can increase your ability to manage effectively your system and reduce cost to the business.

Database Performance Tuning on AIX The Redbook, Database Performance Tuning on AIX, is designed to help system designers, system administrators, and database administrators design, size, implement, maintain, monitor, and tune a Relational Database Management System (RDMBS) for optimal performance on AIX.

Processor Affinity on AIX Using process affinity settings to bind or unbind threads can help you find the root cause of troublesome hang or deadlock problems. Read Processor Affinity on AIX (IBM Developer, November 2006) to learn how to use processor affinity to restrict a process and run it only on a specified central processing unit (CPU).